我们使用的自定义启动器已经包含WebSevurityConfigurerAdapter。
此启动器用于多个项目。
我有一个项目,只能由一个称为COORDINATOR的特定角色访问。
我在项目中加入了WebSecurityConfigurerAdapter,但是我总是被禁止使用(即使我以正确的角色登录)。
@Configuration
@Order(0)
@RequiredArgsConstructor
@EnableWebSecurity
public class LocalSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.csrf().disable()
.headers()
.frameOptions().disable()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/**").access("hasAuthority('ROLE_COORDINATOR')");
}
}
@Configuration
@RequiredArgsConstructor
@EnableWebSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true, securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class AbcdConfigurerAdapter extends WebSecurityConfigurerAdapter {
....
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
authenticationManagerBuilder.authenticationProvider(createPreAuthenticatedAuthenticationProvider());
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.cors()
.and()
.csrf().disable();
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry =
httpSecurity
.addFilterAfter(buildJ2eePreAuthenticatedProcessingFilter(), J2eePreAuthenticatedProcessingFilter.class)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.sessionFixation().none()
.and()
.rememberMe().alwaysRemember(true)
.and()
.authorizeRequests();
//Enable swagger-ui
registry.antMatchers("/swagger-ui").hasAnyRole("ADMIN", "PREVIOUS_ADMINISTRATOR");
//apply exclusions
registry.antMatchers(
"/",
"index.html",
"/css/**",
"/webjars/**",
"/js/**",
"/fonts/**",
"/actuator/**"
).permitAll();
}
}
有人可以告诉我为什么这会失败吗?